Review: Panda Cloud Antivirus

Apr 29 2009, 21:20 by Steve Ragan

NOTE: The Tech Herald has posted a review of Cloud Antivirus 1.0. If you would like to read it, head here.

Panda has released a free antivirus offering that resides mostly off the host system and in the cloud. Using 'Collective Intelligence', along with distributed computing and a global, community-based platform, Panda has said this new offering is entirely different from anything it has created in the past. So, has it succeeded?

Starting off, installing the new Panda protection was just as fast as expected. It took no time at all: just under four minutes in the lab to install and start using the software.

If you read the previous article on Panda’s Cloud Antivirus, then you know the first thing you see is a seriously stripped down interface. This is a good thing, as there is no way an average user can get lost using this particular program.

As you can see from the images below, only four screens make up the entire program.

The first screen is what you see when launching the software from the taskbar, by clicking on the familiar Panda logo. If you see the big green checkmark, all is good on the system. It really is that simple in terms of a heads-up display. During testing, the only time this changed was whenever Malware was executed.

The second screenshot shows the 'Settings' tab. Here users can select the option to allow Panda Cloud Antivirus to send anonymous information to the Collective Intelligence (CI) cloud, enabling new strains of Malware to be processed and scanned.

What this means is that, by allowing this by default, users can help others by letting Panda take samples and process them should the program come across any 'new' types of Malware. This is how CI works, as explained in the previous article -- It turns the community into a Malware processing and detection lab. If one person is infected, CI will clean the infection while at the same time protecting other users from the threat.

CI is also how Panda’s Cloud Antivirus lowers system resource usage. This is because all the protections reside within a distributed network of datacenters (or 'the cloud' if you will), which, in turn, removes the need for the user's computer to crunch data and page through an endless number of signatures to process potential Malware.

The third screenshot represents the scanning selection. Here users can perform on-demand scanning of their entire system, or individual folders and files. The simple interface does what it says, and only that, so the drawback here is that there is no scheduled scanning.

However, while using the system, the CI actively monitors processes and new applications. So, if something is viewed as a threat, Cloud Antivirus will take action to remove it. If the removal was in error, users can always reverse the action by using the Recycle Bin found inside Cloud Antivirus.

To access the Recycle Bin, on the lower right of the interface, simply click the blue arrow, as shown below. This arrow is visible from any tab, so there is always access to it.

From there, simply select the application flagged in error and allow it.

The final tab is the 'Reporting' tab. If users want an overview of all the threats detected by Cloud Antivirus, as well as the distribution of types of threats detected, they can find that information here.

Again, the interface is clean. Users can only access what's needed and, while there are no automatic settings for scanning, the usage of CI covers monitoring in real-time.

The only downside is that, if Panda flags a program as malicious or potentially harmful, users can whitelist it and allow it to run from the Recycle Bin. This means a novice could allow something malicious after the fact, so caution should be exercised whenever using this feature.

Testing Panda’s Cloud Antivirus was down and dirty. The system used was an Intel Pentium D 3.4GHz CPU (Dual Core) with 1024MB of RAM. The lab test computer was running Windows XP (SP3), Internet Explorer 7, and was updated with all current Microsoft patches.

There were 39 new Malware samples tested; this is because the samples tested in the first review would have been classified and recorded by Panda over time. So the idea was to test the new product with real samples, collected live from known malicious domains.

hxxp://lieliteautobody.cn/load.php?id=x

The first test, on the domain above, was to install five samples of Malware, thanks in part to the loader that's served up by this site. Please note that, as of the time this review was written, the Malware served remains live. Visiting the above domain will infect your system.

The image below shows that Panda did detect the new Malware and duly blocked it. The top image is the desktop alert, and the bottom image shows the reporting section. The top image appeared rather quickly, the second the Malware was executed. Shortly after, three more alerts appeared. The other alerts notified us of the detection of a single instance of a virus.

At the time the images were taken, CI had not updated with the actual title of the Malware. This could be a bug, as the system was online at the time of testing. However, what happens is that CI will use the Internet to test the blocked Malware and then provide a name and link to more information in the reporting section.

The launcher, which downloads and serves the samples of Malware, has a detection listing of three out of 40 on Virus Total [VT Report 04.29.2009 16:10 CET]. It is important to note that Panda is not one of the vendors listed as detecting the launcher as malicious.

In this test, Cloud Antivirus did not stop the loader from executing. This is important to note, as the promise from Panda to users applying Cloud Antivirus is quick detection and removal. So when the loader was executed, Panda lived up to its promise by blocking the payloads from infecting the system.

hxxp://y18032009.com/the/?pid=x

The second test of a known malicious URL leads to the Koobface family of Malware. This loader is in the form of a fake YouTube page that asks users to install an update to their Flash Player. Note again, this is a live URL and should not be visited as it will infect your system.


The interesting thing about this test is that the downloaded Malware has a detection listing of 13 out of 40 on Virus Total [VT Report 04.29.2009 16:29 CET], and once again Panda isn’t one of the vendors listed as having detection. When executed, Panda did not instantly warn of infection, as in the previous test. However, once a scan was launched after infection was confirmed, it detected and removed the Malware. A restart was required to complete the process.

So did Panda fail this second test? In a way, but considering that users should always scan their systems, the fact that it did detect Malware during the scan means the program did what it was supposed to. Yet, at the same time, unlike the previous test, the system was infected by the sample. With that said, once the Malware started working, prior to the reboot, it did flag one of the payload files (796525.dll) as malicious.

After the system was rebooted, the same site and Malware was launched again. This was done to test the Collective Intelligence. After all, the system was infected before the reboot, and Panda reported the infection after the scan. If CI worked, then the second infection should fail. It did.

This time, the two loader files (796525.dll and new_drv.sys) used to further infect the system were detected and removed before they could act. It should also be noted that, as seen with the first test, the initial loader, the one downloaded as a codec that delivers the payload, was not flagged as malicious.

KeyGen testing was another aspect in the lab trials of Cloud Antivirus. Like the test performed in the lab on other products, Panda’s Cloud Antivirus was tested to see if it would detect an archive of malicious KeyGens. The archive itself is full of Malware and, aside from the malicious KeyGens themselves, the extraction process will drop a Trojan into the system. As seen in the KeyGen test on Panda Internet Security, the dropped Trojan was detected and the extraction process halted.

When it came to a password-protected archive, containing 39 unique samples of Malware, Panda's offering did not detect the samples and did not flag the archive as password protected or potentially harmful. There are also no settings in the Cloud Antivirus application to help adjust and trigger these types of alerts.
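The password-protected archive result above is worth a defensive check of its own: no engine can inspect encrypted members, so the minimum useful behaviour is to surface that fact before the user extracts anything. The following Python script is an added example written for this write-up; it is not part of Panda's software or The Tech Herald's lab tooling. It builds a small two-member ZIP by hand (Python's zipfile cannot write encrypted entries, so the encryption flag is set on constructed, in-the-clear data), then lists which members carry the flag and confirms a scanner cannot read them without a password. All member names and contents are constructed sample values.

```python
# Added example (not from the review or from Panda): pre-extraction check
# that flags password-protected ZIP members, the condition the review says
# Cloud Antivirus did not surface.
import io
import struct
import zipfile
import zlib

# General-purpose bit flag 0 (ZIP APPNOTE 4.4.4) marks an encrypted entry.
ZIP_FLAG_ENCRYPTED = 0x0001


def build_zip(entries):
    """Construct a minimal stored (uncompressed) ZIP image from
    (name, data, flags) tuples. Written by hand because zipfile cannot
    write encrypted members; the payload stays in the clear and only the
    flag is set, which is enough to exercise the listing check."""
    buf = io.BytesIO()
    central = []
    for name, data, flags in entries:
        name_b = name.encode("utf-8")
        crc = zlib.crc32(data) & 0xFFFFFFFF
        offset = buf.tell()
        # Local file header: signature, version needed, flags, method (0 =
        # stored), mod time, mod date (0x21 = 1980-01-01), crc, compressed
        # size, uncompressed size, name length, extra length.
        buf.write(struct.pack("<IHHHHHIIIHH", 0x04034B50, 20, flags, 0,
                              0, 0x21, crc, len(data), len(data), len(name_b), 0))
        buf.write(name_b)
        buf.write(data)
        # Central directory header for the same member (46 bytes + name).
        central.append(struct.pack("<IHHHHHHIIIHHHHHII", 0x02014B50, 20, 20,
                                   flags, 0, 0, 0x21, crc, len(data), len(data),
                                   len(name_b), 0, 0, 0, 0, 0, offset) + name_b)
    cd_offset = buf.tell()
    for rec in central:
        buf.write(rec)
    cd_size = buf.tell() - cd_offset
    # End of central directory record.
    buf.write(struct.pack("<IHHHHIIH", 0x06054B50, 0, 0, len(central),
                          len(central), cd_size, cd_offset, 0))
    return buf.getvalue()


def audit_archive(zip_bytes):
    """Return one record per member: name, size, and whether the entry is
    flagged as encrypted (hence unreadable by a scanner without a password)."""
    report = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            report.append({
                "name": info.filename,
                "size": info.file_size,
                "encrypted": bool(info.flag_bits & ZIP_FLAG_ENCRYPTED),
            })
    return report


def has_unscannable_members(zip_bytes):
    """True when at least one member is encrypted: the archive should be
    reported as password protected rather than silently passed as clean."""
    return any(m["encrypted"] for m in audit_archive(zip_bytes))


def readable_without_password(zip_bytes, name):
    """Return the member's bytes, or None when zipfile refuses because the
    entry is encrypted and no password was supplied."""
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        try:
            return zf.read(name)
        except RuntimeError:
            return None


# Constructed sample archive: one plain member and one flagged as encrypted.
SAMPLE_ARCHIVE = build_zip([
    ("readme.txt", b"benign text", 0),
    ("locked/sample.bin", b"placeholder bytes, constructed for the example",
     ZIP_FLAG_ENCRYPTED),
])

if __name__ == "__main__":
    for member in audit_archive(SAMPLE_ARCHIVE):
        print(member)
    print("password protected:", has_unscannable_members(SAMPLE_ARCHIVE))
```

The point of the check is the ordering: an archive with any encrypted member is reported before extraction, which is exactly the alert the review notes was missing. A real pre-scan would run the same listing over RAR and 7z containers as well, but the ZIP case is enough to show the logic.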

Once the samples were extracted, Panda flagged 38 of the 39 samples as malicious, deleting all but one of them. The sample left behind was 'Sality.K', a known malicious application. However, Panda did at least flag this item as suspicious [VT Report 4.29.2009 17:27 CET]. The sample itself was fully operational and, once executed, infected the system. A scan was run after confirmed infection, and Panda located and disabled the Malware.

To make things interesting, another 50 samples were tested. While the test was successful, Panda had to be halted to get a solid result. This is because once the samples were extracted and placed on the system, Panda simply started deleting them. This behavior was unexpected, as it did not do this when the original 39 samples were extracted.

After the second round of extractions, with zero files in the sample folder, Panda was then disabled so all 50 samples could be placed on the system. Once a scan was launched, they were all flagged and removed. The samples left on the system failed to execute.

All of the 50 samples were basic variants of the 'Zlob' family of Malware and other known and established malicious files. These were tested to measure how quickly Panda would react to not just a known threat, but also one that has existed for some time.

The scanning baseline for Cloud Antivirus was about 20 minutes for a full system check. This is faster than the results listed in the review of Panda Internet Security, but not as fast as we expected. On the lab computer, 5.80GB of space was used on the disk. Of that space, 561MB was used in a folder named 'content'.

The content folder consisted of simple files to add bulk and give Cloud Antivirus something to scan. The files used included fonts, images and icons, PHP, HTML, and CSS files, as well as ZIP and RAR archives for a total amount of 21,816 files. It should be noted that none of these files were malicious.

So, overall, the product performed as promised. While not based totally on the previous testing methods for the purpose of scoring, the Cloud Antivirus testing did use some of the criteria.

Counted that way, Panda detected 88 out of 89 live samples tested. The sample left behind in the first set of testing, while flagged as suspicious, counts as a miss because it infected the system. In the live URL testing, Panda also worked as expected, despite allowing one URL to infect the system and failing to detect the actual loaders as Malware.

Bearing that in mind, Panda earned a score of 98.87 percent in Malware sample detection (89 samples valued at 1.13 points each, rounded up). With regard to the malicious URL testing, there were seven malicious files served up by the Web sites. Considering that on the second URL test Panda missed the Malware until a scan was launched, and it did infect the system, two samples were counted as a miss. For this test, Panda earned a total score of 71.4 percent (Seven samples worth 14.30 points each, rounded up).

The final score equals an average of 85 percent. Based on the scores alone, Panda’s Cloud Antivirus certainly lives up to its claims and, for free software, provides a strong layer of protection to any host system. The detection was fast, and the ease of use and operational controls were simple to use; we can honestly say that anyone can control the software with ease. Just remember, this is still only a single layer of security and will not provide complete protection from Spam or other Web-related threats, only active Malware on the system.

We'd also like to stress that this test was harsh on Panda for a reason, not that we are cruel when in the lab, but what hurt the average score were the two missed samples from the second URL test.

If we were to count them as successful, as they were flagged as harmful by Collective Intelligence after infecting the system during a scan, or count the second test where the same samples were blocked once they were known, then the score would change to an average of 99.44 percent. If we counted the second URL test as a wash, and simply docked Panda for one missed sample, the score would change again to 92.29 percent.

While we stand behind our first score of 85 percent, it's easy to see how the score can be changed depending on how our testing methods are viewed. The point for this disclosure is that Panda’s Cloud Antivirus delivers excellent protection and, for a free product, it certainly deserves user attention.